According to the FBI’s 2017 cybercrime report, fraudulent emails resulted in a total loss of nearly $1.4 billion. Furthermore, Wombat Security (now part of Proofpoint) reported 76% of businesses were victims of phishing attacks in 2017.
How are phishing attacks so successful? The scammers behind them are masters of social engineering, the practice of manipulating people into handing over sensitive information such as passwords or credit card information. In phishing attacks, this is done by creating emails just convincing enough to gain users’ trust, and their data.
However, if you know the signs to look for in a phishing attack, you’ll know how to protect yourself and your organization. Check out the email below received by a security expert at our sister company, Pearl Insurance, and learn what common traits you should look for in a phishing email.
1. Sender address.
One immediate sign that an email is fraudulent is the sender address. While attackers cannot create email addresses with the domain name of the company they’re trying to imitate, they can create URLs that are similar enough to almost look legitimate. In this case, the attacker went with “secure.micra-soft.com,” but other scammers may use a .net, .org, or .co domain when the actual domain is .com. Always make sure the domain is correct, and if you’re not sure, search for the company on Google.
Some spearphishing campaigns may even come in the form of emails seemingly sent from your manager asking you to perform some task, such as purchasing a large amount of gift cards. While they may be able to spoof your manager’s name, they can’t spoof your manager’s actual email address. If the sender address doesn’t match your manager’s, it’s a scam.
2. Logos that don’t quite look right.
Reputable companies like Microsoft have access to crisp, clear versions of their logo, but attackers may not have that luxury. Look for grainy, pixelated images, or logos with misspellings like the email above.
Carefully read through the email and take time to understand what they’re asking from you. Most companies will flat-out tell you they will never ask for any of your personal information unsolicited, and that’s a good rule of thumb. Unless you requested to verify or change your information, don’t trust such requests.
Another common trait to look for in phishing emails is poorly written messages. Although not all phishing emails will contain them, misspellings (“here by”) and grammatical errors (capitalization in the middle of a sentence) are telltale signs of a phishing attack. Skimming the email may be habit, but not reading carefully could cost you in the long run.
Finally, beware links. First and foremost, do not click the link. Phishing attacks will typically include links that drive users to a form where they actually enter their personal information. In a manner of speaking, this is the scammer’s call to action. Hover your cursor over the URL—do not click the link—and you’ll notice the link doesn’t go to a legitimate website. In the case of the above email, the link’s URL is a jumbled mess of numbers and letters. Just like the sender address, if the address doesn’t contain the real company’s actual domain, it’s a scam. And again, do not click the link.
So it’s a scam. Now what?
Trash it. Delete it. Get rid of phishing emails however you can once you recognize them for what they really are. If you’re part of an organization with multiple users, alert your IT department of the email so they can notify all users of the attack. If they came after you, they may also come after your co-workers.
This article is for informational purposes only.